On 15/01/2013 19:43, Blake Dunlap wrote:
> Yeah, that's the reason. It's not about talking to one another, it's about
> protecting from attacks that could allow snooping on traffic flows, to
> hijacking.
This is mildly troublesome. What you really want in your switch is:

- DHCP option 82 support
- DHCP snooping
- DAI
- port security
- uRPF on first hop
- RA guard / DHCPv6 snooping / ND guard if you're providing IPv6
- broadcast / multicast storm control
- LAN broadcast segmentation for session hijack protection
- common L2 domain for public IP address assignment efficiency

Note that the last two cannot easily be achieved without per-port DHCP filtering.

Nick

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
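As an added illustration (not from the thread or its authors), this is how the feature list above maps onto a Cisco IOS Catalyst access-switch configuration. VLAN 100, customer port Gi0/1, uplink Gi0/24, the policy names and the rate/storm thresholds are assumed values; uRPF is shown as a router-side comment because it lives on the first-hop L3 interface, not the access switch.

```cisco
! Illustrative config, not from the thread. VLAN 100, Gi0/1 (customer) and
! Gi0/24 (uplink) are assumed; adjust to the real topology.
ip dhcp snooping
ip dhcp snooping vlan 100
! option 82: relayed requests carry the switch/port the lease was issued on
ip dhcp snooping information option
! DAI checks ARP replies against the DHCP snooping binding table
ip arp inspection vlan 100
ip arp inspection validate src-mac dst-mac ip
!
! IPv6 first-hop security: customer ports are hosts/clients, so rogue RAs
! and DHCPv6 server replies from them are dropped
ipv6 nd raguard policy HOST-PORTS
 device-role host
ipv6 dhcp guard policy HOST-PORTS
 device-role client
!
interface GigabitEthernet0/1
 description customer port
 switchport mode access
 switchport access vlan 100
 ! per-port DHCP filtering: rate-limit requests, drop traffic whose
 ! source IP has no binding (IP Source Guard, fed by DHCP snooping)
 ip dhcp snooping limit rate 10
 ip verify source
 ! port security caps MACs per port so one host cannot flood the CAM table
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! storm control stops one customer drowning the shared L2 domain
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 ! protected ports cannot exchange frames with each other at L2, only with
 ! the uplink: segmentation inside a common L2 domain / public subnet
 switchport protected
 ipv6 nd raguard attach-policy HOST-PORTS
 ipv6 dhcp guard attach-policy HOST-PORTS
!
interface GigabitEthernet0/24
 description uplink to first-hop router
 switchport mode trunk
 ! only the uplink may deliver DHCP server replies and unvalidated ARP
 ip dhcp snooping trust
 ip arp inspection trust
!
! uRPF goes on the first-hop router's L3 interface (router config, assumed):
! interface Vlan100
!  ip verify unicast source reachable-via rx
```

Verify the result with `show ip dhcp snooping binding` and `show ip arp inspection statistics`; if the binding table is empty, DAI and IP Source Guard will drop legitimate customer traffic, so enable snooping before DAI.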
